Please clarify this requirement: "As a best practice, identity verification SHOULD be at a minimum of IAL2 or LoA-3 for professionals who are end users of health IT systems and for an implementer’s overall operations.":

• This is on the Patient Matching page. Is it only meant for the requester of a patient match, or is it for any possible FHIR request?
• Is this a suggestion to the requesting organization to ID proof the person to this level when they provision them as a user, or to the responding system to reject a FHIR request if an identity verification level is asserted that is under these levels?